Re: CORS restrictions on preflight (too) strict?

From: Ruben Verborgh (UGent-imec) <Ruben.Verborgh@UGent.be>
Date: Fri, 3 Aug 2018 23:21:29 +0000
To: Daniel Veditz <dveditz@mozilla.com>
CC: "Miel Vander Sande (UGent-imec)" <Miel.VanderSande@UGent.be>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Herbert Van de Sompel <hvdsomp@gmail.com>
Message-ID: <E832DD66-1804-488E-B379-892C8485CB86@ugent.be>

> I think Ruben went wrong trying to argue all Accept-* headers are
> safe.

I still haven't been proven wrong, but I get your point.

> or pursued the
> "Safe-*" header option Anne suggested. Though that, of course, would
> require the Memento protocol changing its headers.

…and that's of course not feasible.

But the more interesting option, as suggested by Anne in another channel,
is Origin Policy: https://github.com/whatwg/fetch/issues/326#issuecomment-239423301

Best,

Ruben
Received on Friday, 3 August 2018 23:22:32 UTC